A Python package named “colourfool” has been found to contain a fully-featured information stealer and remote access trojan. The malware, called “Colour-Blind,” was identified by Kroll’s Cyber Threat Intelligence team, and the rogue Python module conceals its malicious code in the setup script.
The trojan is feature-rich and can gather passwords, terminate applications, take screenshots, log keystrokes, and even snoop on victims via the web camera. This discovery comes as threat actors are leveraging the source code associated with W4SP stealer to spawn copycat versions that are distributed via Python packages.
The malware performs defense evasion checks to determine if it’s being executed in a sandbox, and it establishes persistence by means of a Visual Basic script and uses transfer[.]sh for data exfiltration.
As a method of remote control, the malware starts a Flask web application, which it makes accessible to the internet via Cloudflare’s reverse tunnel utility “cloudflared,” bypassing any inbound firewall rules.
Researchers at Kroll warn that the ‘Colour-Blind’ malware points to the democratization of cybercrime that could lead to an intensified threat landscape as multiple variants can be spawned from code sourced from others.
Phylum also discovered three more packages, called pycolured, pycolurate, and colurful, that have been used to deliver a Go-based remote access trojan referred to as Spark.
Additionally, the software supply chain security firm revealed details of a massive attack campaign wherein unknown threat actors published as many as 1,138 packages to deploy a Rust executable, which is then used to drop additional malware binaries.
Kroll researchers warn that the risk/reward proposition for attackers is well worth the relatively minuscule time and effort, and the loss of a few bitcoin pales in comparison to the potential damage of the loss of a developer’s SSH keys in a large enterprise such as a corporation or government.